Oh, I’m going to have fun messing with him. Our love of pulling pranks was
a common trait that had drawn Lewis and me together ever since our pranks
with the drive-up windows at McDonald’s. I called Joe’s home phone
number first to make sure he wasn’t there, then dialed the modem line at his
house. Once I had logged in using Lewis’s account, it took me only a few
minutes to discover that Joe hadn’t kept his security patches up to date. So
much for Fort Knox. By exploiting a flaw in a program called “rdist,” I
popped root on his system.
Let the games begin. When I listed the processes
he was running, I was surprised to see “crack,” the popular program for
cracking passwords, written by a guy named Alec Muffett. Why would Joe
be running that?
It didn’t take long to find the password file that crack was working on. I
stared at the screen, stunned by what I was seeing.
Joe McGuckin, Sun Microsystems contractor, was cracking the
passwords of the company’s Engineering Group.
I couldn’t fucking believe this. It was as if I had just taken a walk in the
park and found a bag of hundred-dollar bills.
After I copied off the cracked passwords, my next hunt was through
Joe’s emails, searching on the keywords modem and dial-up. Bingo! I found
an internal Sun email containing the information I was hoping for. It read,
in part:
From: kessler@sparky (Tom Kessler)
To: ppp-announce@comm
Subject: New PPP server
Our new ppp server (mercury) is now up and running, available for
you to test your connection. The phone number for mercury is 415
691-9311.
I also copied the original Sun password files (which contained the
encrypted password hashes) that Joe was in the process of cracking, in case
I lost access to his machine. Included in the cracked-password list was Joe’s
own Sun password, which as I recall was something like “party5.” (Crack
had broken that one, too.) A walk in the park.
That night, I periodically logged in to see if Joe was online and active.
Even if he noticed that there had been an incoming call on his modem, it
might not arouse his suspicion (I hoped) because he would remember
giving Lewis access. Sometime after midnight, Joe’s computer went quiet; I
figured he had nodded off for the night. Using the “Point-to-Point”
protocol, I logged into Sun’s “mercury” host posing as Joe’s workstation,
named “oilean.” Voilà! My computer was now an official host on Sun’s
worldwide network!
Within a couple of minutes, with the help of rdist, I had managed to get
root, since Sun, like Joe, had been lax about updating the security patches. I
set up a “shell” account and installed a simple backdoor giving me future
root access.
From there, I targeted the Engineering Group. This was totally familiar
stuff, but at the same time totally exhilarating. I was able to log in to most
of the Sun machines in Engineering, thanks to Joe’s efforts in cracking that
group’s passwords.
So Joe had, without even knowing it, set me up to grab yet another
treasure: the latest and greatest version of the SunOS, a flavor of the Unix
operating system developed by Sun Microsystems for its server and
workstation systems. It wasn’t hard to find the master machine storing the
SunOS source code. Even when compressed, though, this was one
humongous package of data—not as massive as DEC’s VMS operating
system, but still massive enough to be daunting.
And then I had an idea that might make the transfer easier. Targeting the
Sun office in El Segundo, just south of the Los Angeles International
Airport, I began by doing queries on several workstations to learn what
devices were attached to them. I was looking for a user who had a tape
drive connected to his computer. When I found one, I called him on the
phone and said I was with the Sun Engineering Group in Mountain View. “I
understand you have a tape drive connected to your workstation,” I said.
“One of my engineers is at a client site in LA, and I need to transfer some
files to him, but they’re pretty large to transfer over a modem. Do you have
a blank tape you could stick in your drive, so I could write the data to that
instead?”
He left me hanging on the phone while he hunted down a blank tape.
After a few minutes, he came back on the line and told me he was shoving
it in the drive. I had encrypted the compressed source code into an
unintelligible blob of data, just in case he got curious and took a look. I
transferred a copy to his workstation, then gave a second command to write
it to the tape.
When the transfer to tape was finally complete, I called him back. I
asked him if he wanted me to send him a replacement tape, but as I
expected, he said it was okay, I didn’t need to do that. I said, “Can you put
it in an envelope for me, and mark it with the name ‘Tom Warren’? Are you
going to be in the office for the next couple of days?”
He started telling me about when he would and wouldn’t be available. I
interrupted him: “Hey, there’s an easier way. Can you just leave it with the
receptionist, and I’ll tell Tom to ask her for it?” Sure, he’d be glad to do
that.
I called my buddy Alex and asked him if he’d swing by the Sun office
and pick up an envelope the receptionist was holding for “Tom Warren.” He
was a little reluctant, knowing there was always a risk. But he overcame
that a moment later and agreed with what sounded like a smile on his face
—I suppose as he remembered the kick he always got from participating in
my hacking adventures.
I felt triumphant. But here’s the odd part: when I got the tape, I didn’t
even spend much time looking at the code. I had succeeded in my
challenge, but the code itself was of less interest to me than the
achievement.
I continued acquiring passwords and software treasures from Sun, but
constantly having to dial up to the modems in Mountain View was chancy. I
wanted another access point into Sun’s network.
Time for a social-engineering attack. Using my cloned cell phone, I
programmed in a number with the 408 area code for Mountain View, which
I would need if the system administrator in Sun’s Denver sales office
wanted to call me back to verify that I was who I claimed to be. Using a
tool available to all Sun staffers, I pulled up a list of employees, chose Neil
Hansen at random, and wrote down his name, phone number, building
number, and employee number. Then I called the main number at Sun’s
Denver sales office and asked for the computer support person.
“Hi, this is Neil Hansen with Sun in Mountain View. Who’s this?” I
asked.
“Scott Lyons. I’m the support person in the Denver office.”
“Cool. Later today I’m flying to Denver for some meetings. I was
wondering if you guys had a local dial-up number so I can access my email
without having to make long-distance calls back to Mountain View.”
“Sure, we have a dial-up, but I have to program it to dial you back. The
system does that for security reasons,” he told me.
“No problem,” I said. “The Brown Palace Hotel has direct-dial numbers
for the guest rooms. When I get into Denver later this evening, I can give
you the number.”
“What’s your name again?” he asked, sounding a little suspicious.
“Neil Hansen.”
“What’s your employee number?” he demanded.
“10322.”
He put me on hold for a moment, presumably to check me out. I knew
he was using the same tool I’d used to look up Hansen’s information.
“Sorry, Neil, I just had to verify you in the employee database. Give me
a call when you get in, and I’ll set that up for you.”
I waited until just before quitting time, called Scott back, and gave him a
local 303 (Denver) number that I had cloned to my cell phone. When I
started a connection, a callback would come to the cell phone, I’d manually
answer it, and then my modem would make a connection. For several days,
I used this access point to get into Sun’s internal network.
But then, abruptly, the callbacks stopped working. Damn! What had
happened?
I dialed back into Mountain View and accessed the system in Denver.
Oh, shit! Scott had fired off an urgent email to Brad Powell with Sun’s
Security Department. He had turned on the logging feature on the dial-up I
was using and captured all my session traffic. He quickly realized that I was
not checking my mail at all but poking around in places I shouldn’t be. I
deleted the log files so there wouldn’t be any evidence of my visits and
immediately stopped using the cell phone number I had given him.
Did this discourage me from hacking into Sun? Of course not. I just
went back to using Sun’s Mountain View dial-up to find more connections
into SWAN (Sun’s Wide-Area Network) in case I got locked out of the
system. I wanted to establish multiple access points so I’d always have a
variety of ways of getting in. I targeted all of Sun’s sales offices in the
United States and Canada, each of which had its own local dial-up so its
staff could access SWAN without needing to make long-distance calls to the
company’s Mountain View headquarters. Compromising these offices was a
piece of cake.
While exploring Sun’s network, I stumbled across a server with the
hostname “elmer,” which stored the entire database of bugs for all of Sun’s
operating systems. Each entry included everything from the initial report or
detection of a bug, to the name of the engineer assigned to tackle the issue,
to the specific new code implemented to fix the problem.
A typical bug report read:
Synopsis: syslog can be used to overwrite any system file
Keywords: security, password, syslog, overwrite, system
Severity: 1
Priority: 1
Responsible Manager: kwd
Description:
syslog and syslogd feature of LOG_USER can be used to
overwrite *any* system file. The obvious security violation
is using syslog to overwrite /etc/passwd. This can be done to
remote systems if LOGHOST is not set to localhost.
bpowell: breakin code removed for security reason
If you need a copy of the breakin code see Staci Way (contractor)
(staciw@castello.corp).
Work around: NONE except turning off syslog which is
unacceptable
Interest list: brad.powell@corp, dan.farmer@corp, mark.graff@Corp
Comments: this one is pretty serious. It has already been used on
sun-barr to break root, and is one of the few security bugs
that work for 4.1.X as well as 2.X e.g. ANY Sun released
OS.
To use one of my favorite expressions, this again was like finding the
Holy Grail. I now had access to every bug discovered internally at Sun as
well as every one reported by any other source. It was like putting a quarter
into a slot machine and winning the progressive jackpot with the first pull
of the handle. The information from this database was going into my bag of
tricks. I started thinking of the tune to the old